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Abstract 

In recent years Quantum Key Distribution (QKD) has emerged as 
the most paradigmatic example of Quantum technology allowing the real- 
ization of intrinsically secure communication links over hundreds of kilo- 
meters. Beyond its commercial interest QKD also has high conceptual 
relevance in the study of quantum information theory and the founda- 
tions of quantum mechanics. In particular, the discussion on the minimal 
resources needed in order to obtain absolutely secure quantum communi- 
cation is yet to be concluded. Here we present an overview on our last ex- 
perimental results concerning two novel quantum cryptographic schemes 
which do not require some of the most widely accepted conditions for re- 
alizing QKD. The first is Goldenberg-Vaidman protocol [I], in which even 
if only orthogonal states (that in general can be cloned without altering 
the state) are used, any eavesdropping attempt is detectable. The second 
is N09 protocol [2] which, being based on the quantum counterfactual ef- 
fect, does not even require any actual photon transmission in the quantum 
channel between the parties for the communication. 

Introduction 

Quantum Key Distribution (QKD) [31 3] is beyond doubt the most promising 
application in the field of quantum technologies. It is a method that allows two 
distant partners to share a common key to be used in order to perform a cryp- 
tographic communication whose security does not depend on the technological 
level of an eventual spy, being based on the fundamental laws of nature and in 
particular on the properties of quantum systems. 

In the last decade QKD is moving from laboratories to become a mature 
technology for commercialization [5]; communications over more than 100 km 
having been achieved both in fiber [5] and open air [7J. 
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However, beyond its commercial interest QKD represents also a fruitful test 
bed of concepts and ideas blossoming from quantum information theory and 
studies on foundations of quantum mechanics [31 HI HOI H21 [H H31 S3 El E] - In this 
paper, after a general introduction to the topic, we present an overview on two 
novel QKD schemes, based on orthogonal states, which bring groundbreaking 
contribution in the debate on the actual resources needed to ensure the security 
of quantum communication. Indeed, before the proposal of Goldcnbcrg and 
Vaidman [T] it was considered as established that non-orthogonal or entangled 
states were needed for QKD. This proposal, and later the one of T. G. Noh [2J, 
demonstrated that non-orthogonality is not necessary, opening a new chapter for 
quantum communication, QKD with orthogonal states. The paper is structured 
as follows: the first section after some brief historical information is addressed 
to the introduction of quantum cryptography and the description of the most 
studied protocols; the second section introduces the Goldenberg and Vaidman 
protocol based on the use of orthogonal states and describes its experimental 
implementation [TT]; the third section concerns the N09 protocol as proposed 
by T. G. Noh, also dubbed Counterfactual QKD and its realization|12); finally 
some final remarks and future perspectives are discussed. 

1 From classical to quantum cryptography 

In this section a brief introduction on classical and quantum cryptography is 
given. The aim is to follow the historical path that led to current cryptographic 
systems and quantum cryptography. 

1.1 Classical Cryptography 

Cryptography concerns methods to encode messages so as to ensure privacy 
from anyone other than the authorized users. Generally, the exchange of mes- 
sages takes place between two characters named Alice (A) and Bob (B). A third 
character, Eve (E), attempts to intercept and decode the message. The message 
to be sent from Alice to Bob is usually dubbed "cleartext" . To do this transmis- 
sion safely Alice uses an algorithm (crypto-system or "cipher" ) able to combine 
the cleartext with some additional information ("key") which is shared in an 
exclusive way between A and B. The text thus obtained is called "cryptogram". 

Crypto-analysis, which is the study of how to decode a ciphered text with- 
out being in possession of the key, evolves in parallel to the development of 
cryptography. 

Cryptography protocols can be divided into two main classes: symmetrical 
and asymmetrical. Protocols for which the key used to encrypt the message 
is the same that is used to decode it, belong to symmetrical cryptography. 
In asymmetric cryptographic systems, the key used to encrypt the message is 
different from that used to decode it. 
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1.2 Symmetrical Key Distribution Protocols 

The cryptographic systems with symmetrical key are the most intuitive and 
oldest methods used to encode messages. 

For example, one of the most ancient crypto-systems is the Spartan scy- 
tale The scytale is composed of a wood stick around which is coiled a tape. The 
result is a cylindrical surface to write. Unrolling the tape and reading the mes- 
sage leads to a sequence of letters apparently without meaning. This sequence 
recovers its original significance when the tape is rewound on a stick with the 
same diameter to the original one. In this case the key of the protocol is the 
wood stick. The two parties must possess a wood stick of same diameter for 
exchange messages. 

Another important cryptographic system has its origin back in Julius Caesar 
times. The Caesar cipher requires each letter that composes the message to 
be replaced with one that is three positions ahead in the alphabetic order as 
shown in Tabic [T] 



Normal alphabet 


ABCDEFGH I LMNOPQRSTUVZ 


Chipcr alphabet 


DEFGHI LMNOPQR STUVZABC 



Table 1: Caesar chiper 



In this case the key of system is 3, corresponding to the number of positions 
shifted. Obviously, with the same system is possible to use different keys. A 
trivial example that illustrates the protocol is shown in Table [5] 



clcartcxt 


NOCTEADORT I 


ciphcrtcxt 


QRFZHDGR. UZN 



Table 2: Example of application of Caesar cipher 

Obviously, a cipher like this is very simple to decrypt as the key has only 20 
possible values. Caesar cipher and, in general, all methods for which a letter is 
encoded with the same symbol for the entire length of the message are said to be 
based on mono-alphabetic substitution. This type of cryptographic systems 
can be decrypted by applying a technique known as frequency analysis. The 
first known recorded explanation of frequency analysis (indeed, of any kind of 
cryptanalysis) was given in the 9th century by Al-Kindi, an Arab polymath, in 
"A Manuscript on Deciphering Cryptographic Messages" . It has been suggested 
that close textual study of the Qur'an first brought to light that Arabic has a 
characteristic letter frequency. Frequency analysis is based on the fact that, in 
any given stretch of written language, certain letters and combinations of letters 
occur with varying frequencies. Moreover, there is a characteristic distribution 
of letters that is roughly the same for almost all samples of that language. 
For instance, given a section of Italian language, E, A, I and O are the most 
common, while Z, Q and V are rare. So by analyzing a message, coded with the 
monoalphabetic substitution, one can obtain the frequency spectrum of each 
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symbol. Comparing it with the one relative to the letters of a given language 
one can derive the key to decrypt the message. 

The natural evolution of this cryptographic system is the use of more than 
one alphabet for encoding the message. The key will be used to indicate which 
alphabet to use for each letter. This type of cryptographic system is known 
as polyalphabetic substitution. The first complete description of a crypto- 
graphic system based on polyalphabetic substitution dates back to Leon Bat- 
tista Alberti (circa 1467), who used a metal cipher disc to switch between cipher 
alphabets. Alberti's system only switched alphabets after several words, and 
switches were indicated by writing the letter of the corresponding alphabet in 
the ciphertext. 

Years later, in 1508, Johannes Trithemius invented the Tabula Recta. The 
tabula recta is a square table of alphabets, each row of which is made by shifting 
the previous one to the left. In his system data are encrypted by switching 
each letter of the message with the letter directly below, using the first shifted 
alphabet. The next letter is switched by using the second shifted alphabet, and 
this continues until the end of the message. 

Around 1586 Blaise de Vigenere developed a more secure system always 
based on Tabula Recta. This protocol is called Vigenere cipher. The differ- 
ence from the previous one is that the sequence of alphabets used to encrypt the 
message was not consecutive, but dictated by a word or phrase: the key. Each 
letter of the key is matched with a letter of the message, the key is repeated 
along the length of the message. In Table [3] is shown a simple example on the 
operation of the Vigenere cipher, where the keyword is: "GREEN" . 
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Table 3: Vigenere cipher 



For many years this cryptographic system was considered impossible to vi- 
olate. In 1863 the first publication on an attack at the Vigenere cipher was 
realized. This method, known as Kasiski examination, allows to determine the 
length of the key; then one can apply the frequency analysis on each alphabet. 
The Kasiski examination consists in the research in the encrypted text of equal 
strings. If these are encoded with the same part of the key then the distance 
between the parts must be an integer multiple of the key length. Moreover, the 
key was usually a word or a phrase whereby is not necessary to earn each let- 
ter with the frequency analysis. For example if one obtained from the analysis 
only a few letters of the key as "G*EE*" is not difficult to understand that the 
keyword is "GREEN" . 

In 1917 Gilbert Vernam, an engineer at Bell Labs, modified the Vigenere 
cipher to make it more secure. The Vernam cipher is also called One-Time 
Pad. This cryptographic system is based on three conditions: 

• the key must have the same length of the message 
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• it must be used only one time 

• it must be randomly generated 

The condition on the key length makes the single message completely immune 
from the frequency analysis. Notwithstanding that the same type of alphabet 
is used for encoding more than one letter it is impossible to determine where 
this alphabet is used. The second condition addresses the issue that if the 
key is used more than one time, in principle, Eve can collect all messages and 
then apply the frequencies analysis on the same position of all texts. Finally, 
if the key is randomly generated no correlation between successive alphabets 
can be found, at variance with the case of Vigenere cipher. After the end 
of World War II (1949) Claude Shannon demonstrated that One-time pad is 
unbreakable [13] With the development of computer science all communications 
have been converted to digital encoding, so both the key and the message are 
now composed by digital bits. As a consequence, all cryptographic systems 
are now based on binary operations. For example for encoding messages the 
logic XOR operation is used between the key and the message bits. The three 
conditions necessary for the cipher to work present different practical difficulties. 
In fact, the problem of the frequent transmission of the key bits (which have to 
be strictly random) through a secure channel leads to the main technological 
issue related to modern cryptography (key distribution). However this problem 
can in principle be solved with the use of quantum cryptography as we shall 
address in section [L4l 

1.3 Asymmetrical Key Distribution 

The second class of cryptographic protocols is composed by asymmetrical cryp- 
tosystems, more commonly called public key cryptosystcms. The fundamental 
characteristic of these protocols is that the key used for encoding the message 
(called "public key" ) is different from the one used to decode it (called "private 
key"). The public key is exchanged between Alice and Bob through a public 
channel and it could be, in principle, intercepted by Eve. On the contrary, the 
private key remains always in possession of Alice and Eve cannot get hold of it 
in any way. Another fundamental characteristic of this kind of protocols is the 
possibility of establishing a shared secret-key over an authenticated (but not 
private) communications channel without using a prior shared secret. To give 
an idea of how the asymmetric protocols work, suppose that Bob wants to send 
a message to Alice. Imagine that Alice sends Bob a box and an open padlock 
(public key). Bob puts the message in the box, closes it with the padlock and 
sends the box to Alice. Alice can open the box with the key of the padlock that 
has always remained only in her possession (private key). In principle, a copy 
of the padlock can be in possession of Eve but nevertheless she can not open 
the box in any way. In general this type of protocol is implemented by using a 
class of mathematical functions called one-way functions. These functions have 
the characteristic of being easily computed with any input but they are hard 
to invert. The terms "easy" and "hard" are in this context to be intended in 
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terms of computational time requested to solve the given problem. In partic- 
ular, a function can be considered "easy" to compute if the evaluation time is 
proportional to a power of the length of the input string (polynomial class). On 
the other hand, a function is said "hard" to compute if the time is instead an 
exponential function of the length of the input string. 

One of the unsolved problems in computer science is to prove the existence 
of these functions: all the functions that are generally included in this class 
are actually the ones for which an algorithm to solve them in polynomial time 
has not been found yet, but it is not proved that such an algorithm does not 
exist. In terms of functions Alice builds the public key f(x) and the private key 
f~ 1 (x). She sends f(x) to Bob. Bob computes the function with the message 
M and he obtains f(M). The fundamental concept is that obtaining f~ l (x) 
only with f(x) as a starting point is a "hard" task. Finally Bob sends f(M) to 
Alice and than she computes f~ 1 (f(M)) = M retrieving the message. 

The most important public-key protocol is RSA, originally invented in 1978 
by Rivest, Shamir and Adleman. The security of the protocol is based on the 
apparent difficulty of the integer factorization problem. The integer factoriza- 
tion is a much discussed problem. To date, the best way to solve it is the use 
of a class 0(exp((^L)3 (logL)^)) algorithm, where L is the length of the key. 
So this problem is "hard" to resolve as it need exponential computational time. 
Even if RSA is the most used cryptosystcm for commercial use, however, there 
is no proof that there cannot be more efficient algorithms. Based on current 
algorithms and computational power of computers, to ensure the security of the 
protocol, the key must be at least 2048 bits. In 1994, Peter Shor showed that a 
quantum computer would be able to solve factorization problem in polynomial 
time, thus giving the possibility to break RSA protocol [16]. 

1.4 Quantum Key Distribution 

Quantum states present some particular properties which can be exploited to 
perform a secure exchange of information between two parties. In particular 
to obtain a secure shared key to be used in a one-time-pad protocol. For this 
reason Quantum Cryptography was introduced or, more properly, Quantum 
Key Distribution (QKD). 

The first idea of Quantum Cryptography was proposed by Stephen Wiesner, 
at Columbia University in New York in the early 1970s. He introduced the 
concept of quantum conjugate coding. Initially his work was refused by IEEE 
Information Theory and it was published only in 1983 by SIGACT News (Special 
Interest Group on Algorithms and Computation Theory) [14j . About one year 
later Charles H. Bonnet and Gilles Brassard announced a protocol of quantum 
cryptography based on non-orthogonal states |15j . 

The most of the Quantum Cryptography protocols are based on the No- 
Cloning theorem. 

This theorem asserts that it is impossible to copy exactly (cloning) an a 
priori unknown quantum state. However, cloning is possible if the state belongs 
to a set of orthogonal states known. This is important considering a scenario in 
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which A and B decide to exchange information coded in the states of quantum 
systems. The most simple strategy that E can use is to intercept the state sent 
by A before it reaches B, to measure it, to copy it and then send the copy to 
Bob (intercept-resend attack). Let us consider two quantum states | ijj) e | <f>) 
to be cloned and an auxiliary state | s) which is intended to become the clone 
(target state). 

I V>> I s) -H V>> I 1&> (1) 

If it is possible to perform the cloning then a unitary operator U must exist 
such that: 

U{\ V) | a)) =| V) I 1>) 
U(\ 0) | S » =| 0) | <f>) 
and by taking the scalar product of the two equation one would obtain: 

(4> | </,) = (V U)<V 1$ ( 2 ) 

For the former equation to be true one should have (ip \ (f>) equal either to 1 
or 0, meaning that | ip) and | <fi) arc equal or orthogonal respectively. In any 
other case U does not exist so it is not possible to clone an a priori unknown 
quantum state. This means that if E tries to perform an intercept-resend attack, 
the states sent by E to B will be uncorrelated to the original states generated 
by A, leading to errors in the transmission that can highlight the presence of 
the eavesdropper. 

The first and most important QKD protocol was proposed in 1984 by Charles 
Bennet and Gilles Brassard during a conference in India [15]. This protocol in- 
volves the use of polarized photons in two non-orthonormal bases: one rectilinear 
( 1^) c I t )) an d one diagonal (\/*) |\)). Suppose that for each base the first 
state correspond to the bit and the second to bit 1. The protocol can be 
implemented as follows: 

• key transmission: Alice prepares a random sequence of bits (Table 2] a) 
and a random sequence of bases (choosing between the rectilinear and the 
diagonal one) ((4] b) to encode them. Bob prepares a random sequence of 
bases to perform the measurement [4] d). Alice then sends a succession 
of linearly polarized photons according to the chosen bits and bases [4] c) . 
Bob projects each photon according to the chosen bases and stores the 
results of the measurements; 

• public discussion: Alice e Bob announce on the public channel the se- 
quence of chosen bases. Bob keeps the results related to the measure- 
ments with compatible bases and discard the others. Alice also keeps 
the bits corresponding the states for which the same basis has been used. 
The sequences of bits obtained in this way by A and B are now iden- 
tical (assuming no noise and no eavesdropping). This is to be used as 
cryptographic key; 
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• error detection: To check for the eventual presence of E in the commu- 
nication channel, A and B sacrifice random portions of the shared string 
and publicly compare their positions and values (or the parities of corre- 
sponding subsets) before discarding them. The remaining bits are called 
sifted key. 
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Table 4: Scheme of BB84 protocol 



In the following years many experimental implementations of BB84 have 
been performed and several alternative protocols have been proposed, almost 
all of them based on the use of non-orthogonal states. Since this work is not 
intended to give an exhaustive review on that kind protocols, but rather in- 
troduce experiments which do not require such states, we refer on the subject 
to other important works [31 [H [TUl H21 H31 HU HZl HH1 ?, HH1 ?, [201 HH E21 1231 
[Ml 1251 1251 [271 [251 [25] , Let now us mention just another possible attack that 
can be performed by Eve. Eve's possible attacks discussed above are based 
on the attempt to get the maximum information out of the qubits exchanged 
between Alice and Bob. Eve can also adopt a completely different strategy: 
she can send herself signals in the quantum channel toward Alice's or Bob's 
secure zones. This kind of strategies are called Trojan horse attacks. Eve can 
send light pulses in the fibers entering in Alice's and Bob's systems and analyze 
the back-reflected light. In principle, with this analysis, is possible to deter- 
mine which detector just fired, which laser just flashed and which polarization 
is set. However, the back-reflected light is extremely low so this type of attack 
is difficult to perform. Eve, to avoid being revealed, can send light pulses with 
a wavelength completely different to that used for the protocol and in which 
A and B detectors are inefficient. This strategy can be prevented by the use 
of filter with a transmission spectrum corresponding to the sensitivity of the 
detectors. The mere fact that this type of attacks exists makes it clear that 
the security of QC cannot be guaranteed only by the use of quantum mechanic 
properties but also requires technological countermeasures. 



2 Goldenberg-Vaidman protocol 

In the following we introduce our first implementation of an experiment con- 
cerning QKD featuring orthogonal states. 



2.1 GV protocol: the scheme 

In the proposal [I], the orthogonal states sent by Alice are the superpositions 
of two localized wave-packets, which do not travel simultaneously to Bob, being 
separated by a fixed delay. There is a direct correspondence between the state 
prepared by Alice and the bit received by Bob, for instance 

-H*o> =^(|o) + |6)) 

1 -H*i) =4(|o>-l&». 

where \a) and \b) are two localized wave-packets and the states j^o) an d l^i) 
are orthogonal. The states |^o) and \^i) arc emitted randomly in time, and 
the presence of an eventual eavesdropper can be detected by legitimate users 
exploiting the information on the detection times PQ. 

The protocol works as follows: Alice sends Bob either the state |^o) or l^i)- 
The insertion on the quantum channel of the wave-packet \b) is delayed 
for some amount of time r with respect to the insertion of wave-packet \a). 
t is chosen larger than the traveling time T of photons between Alice's and 
Bob's locations. Since \b) travels through the quantum channel only after the 
wave-packet \a) has already reached Bob's site, both wavw-packets are never 
simultaneously present in the quantum channels. Nonetheless, the requirement 
of r greater than the traveling time T is not strictly necessary. 

in- 

Our proof-of-principle experiment jllj exploits a balanced Mach-Zehnder In- 
terferometer (MZI) with two equal optical delays OD\ and OD^- According to 
Fig. 1, sources of single photon So and S\ at the two input ports of the beam 
splitter on Alice side provide single photons propagating in the transmission 
channel in the state l^o) or \^\) respectively. The emission time of the single 
photon in one of the two states is absolutely random, but it is registered by 
Alice. 

while the \b) is stored in ODi, wave-packet |o) travels from Alice's to Bob's 
locations along the upper channel and enters in OD2, where it is delayed until 
also \b) reaches Bob's site. Thus the two packets interfere as they simultane- 
ously reach the second beam-splitter. A click of detector Di deterministically 
implies that the single photon state was in the state that is, it was sent by 
source Si- Two security tests are performed by Alice and Bob to highlight the 
possible presence of an eavesdropper. The first is a public comparison between 
the sending times t s and the receiving times t r for each photon. If we suppose 
that the traveling time between the two parties is T, only the events detected at 
time t r = t s + t + T are considered as part of the message, while all the others, 
highlighting the presence of Eve, are discarded. The second one is the compari- 
son of corresponding segments of the users' bit strings to estimate the quantum 
bit error rate (QBER). We underline that in the ideal case discrepancies in the 
transmission/detection times or in the bit strings can only be induced by Eve. 
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Figure 1: Experimental GV protocol set-up. A single photon source (real- 
ized exploiting an heralded single photon source based on parametric down- 
conversion (PDC) obtained by pumping with a 406 nm CW laser beam a type I 
BBO crystal) can be injected deterministically in either of the two input ports 
(Sq, Si) of a balanced Mach-Zchnder Interferometer (MZI) , encoding (respec- 
tively) bit or 1. The choice is random and performed by passive optics. Alice's 
site is composed by So, Si and the first optical delay (ODi). Bob's location 
is composed by the second optical delay (OD2, identical to ODi) and the two 
single photon detectors (Dq,Di). 



For the sake of completeness, let us mention that it was argued by Peres [31] 
that this protocol introduced no novel features with respect to BB84. Golden- 
berg and Vaidman replied to this claim by stating that while in other protocols 
(like BB84) the security is obtained by virtue of non-orthogonality, in GV pro- 
tocol it is due to causality, since they proved that supcr-luminal signaling would 
be required for a successful eavesdropping pQ. Furthermore, while all crypto- 
graphic schemes require two steps for sending information (sending the quantum 
object and then some classical information) , in GV protocol only the first step is 
needed for communication, the second step being used only for ensuring security 
against eavesdropping. 

2.2 GV protocol: the experimental setup 

The setup of the experiment [11) representing the first realization of the GV 
protocol is shown in Fig. 1. The single photon states are obtained exploiting an 
heralded single photon source based on parametric down-conversion (PDC) |30j . 
A CW 100 mW Coherent Cube diode laser system at 406 nm is used to pump a 
BBO type I crystal. PDC photons pairs at degeneracy (812 nm) are emitted in 
slightly non-collinear regime (three degrees with respect to the pump direction). 
The heralding photons are selected by means of 1 nm bandwidth interference 
filters, collected in a multimode optical fiber and detected by Single Photon 



10 



Avalanche Photo-diodes (SPAD) detectors. The heralded single photon, the 
carrier of the information to be exchanged between Alice and Bob, is collected in 
a single mode optical fiber (a 10 nm interference filter is placed on the heralding 
arm only for background suppression). The CW laser operation ensures the 
generation of photon pairs at random time, and the detection of one photon of 
the pair in the heralding arm provides the temporal information on the emission 
of the single-photon, as requested by the original proposal. To perform the 
proof-of-principle of the QKD scheme, Alice sends bit or 1 by addressing the 
encoding photon to the proper input port of the MZI (5*0 or S\ respectively). 
In our case, this can be achieved just switching the optical fiber from one input 
port to another. It is noteworthy to observe that in practical QKD systems 
this can be realized exploiting a commercial fast optical switch controlled by 
a random number generator. Bob detects the single photons at the output of 
the interferometer. The balanced MZI contains both the optical delays and 
the transmission channel between the users. In particular, after the input BS 
at the Alice side one arm of the interferometer contains a delay line, while on 
the other arm the delay line (both delays are based on trombone prisms) is 
located at Bob's side. The positions of the trombones in the optical delays are 
adjusted via a closed loop piezo-movement system with nano-metric resolution. 
Detection events after the output BS of the interferometer are revealed by SPAD 
detectors operating in Geiger mode. The electronics highlighting the presence 
of coincident detections is based on Time-to- Amplitude-Converter and Multi- 
Channel-Analyzer. In our case the temporal condition for the security of the 
QKD scheme is satisfied because the jitter of our detectors (i. e., the uncertainty 
in the measurement of the transmission/detection times) is about 300 ps, while 
the length of the delay lines is approximately 60 cm corresponding to a storage 
time of ^2 ns. Furthermore, as the signal corresponding to the detection events 
on the heralding channel (containing the information on t s ) is properly delayed 
before exiting from A site, Eve can never access the timing information before 
the transmission of each photon is concluded. 

The stability of the interferometer has been tested by scanning the position 
of Alice's trombone prism with Bob's one kept at a fixed position. Fig. 2 shows 
the interference fringes of heralded counts. The visibilities (V) are well above 
80%, irrespective of which port of the input beam splitter is used to inject the 
single photon in the interferometer. Even if, in recent years, very high visibilities 
have been achieved in similar setups [32j[33], the results we obtain are absolutely 
comparable with those of several important works [34] 35 , 36 , 37 and they are 
absolutely sufficient for a meaningful proof-of-principle of the GV protocol. 

2.3 Results and discussion 

The quality of the transmission is quantified by the Quantum Bit Error Rate 

(QBER = p— P ™+°pZ 1 wriere Pmght (Pwrong) is the probability for Bob to 

receive a bit value which is equal to (different from) the one sent by Alice), 
measured to be 7%. This result has been proven to be stable for hundreds of 
seconds as shown in Fig. 3. The main results of our transmission arc summarized 
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Figure 2: (Color online) Number of detected events per second at detector D 
and D\ as a function of the path length difference Al between the two arms of 
the interferometer for source So (top picture) and Si (bottom) . visibility of the 
observed fringes is reported in Tab 1. 
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Figure 3: Detection events at both detectors D\ and Do- Top: source So is 
active, corresponding to the transmission of a string of bit 0. Bottom: source Si 
is active, corresponding to the transmission of a string of bit 1. The evaluated 
Quantum Bit Error Rate (QBER) in the two cases are QBER S \ = 0.071±0.014 
and QBERso = 0.070 ± 0.016 on a series of 60 measurements 5 seconds long, 
showing a remarkable phase stability of the interferometer. 
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in Table I. 





V D0 


v D1 


QBER 


5*0 


(89 ± 1)% 


(82 ±1)% 


(7.0 ± 1.6)% 


SI 


(88 ±1)% 


(85 ±1)% 


(7.1 ±1.4)% 



Table 5: Main results obtained in our implementation of the QKD protocol 
proposed in Ref. [T]. Vdo, Vbi are the visibilities of the interference fringes 
observed at the two outputs of the interferometer by scanning the path length 
difference, QBER is the estimated quantum bit error rate for the transmission. 

Finally, some observations regarding the security of this QKD system. De- 
spite the fact that an unconditional security proof of the GV protocol is still 
not available, we note that an efficient eavesdropping strategy against its ideal 
realization has not been found yet. On the contrary, it can be shown that, if a 
multi-photon component is present in the signal, an eavesdropper (Eve) can gain 
information on the key by performing a beam-splitter attack. For example, Eve 
can insert a beam-splitter, in both paths in such a way that the transmitted pho- 
tons continue traveling toward Bob while measuring the outputs in the reflected 
modes with a duplicated Bob's detection apparatus. In order to successfully do 
this Eve should be present since the initial tuning of the interferometer. The 
security issue in QKD protocols based on single photons due to the presence 
of multi-photon components is a very deeply investigated subject [3J @] , which 
demands ultimately the use of efficient single photon sources. In particular, our 
heralded single photon source, presenting a <r 2 '(0) = 0.06 ± 0.01, is a good ap- 
proximation of an ideal single photon source, thus the information obtained by 
an eventual eavesdropper exploiting the presence of multi-photon components 
is negligible. In fact, if we attribute the measured QBER value, due to experi- 
mental imperfections, to an attack performed by an eavesdropper, the amount 
of information on the key obtained by this attack will be much greater than the 
one obtained from a beam-splitting attack on our "almost ideal single photons" . 

3 Counterfactual Quantum Cryptography 

In the following we describe the first implementation of a counterfactual QKD 
experiment (Noh09 Protocol). After the introduction of the mechanism of 
the counterfactual measurement via the description of famous Elitzur-Vaidman 
bomb tester we briefly describe the theoretical proposal, we show the details of 
the implementation, we present the experimental data and discuss the results. 

3.1 Elitzur-Vaidman bomb tester 

The Elitzur-Vaidman bomb tester |39j is a gedanken experiment that shows the 
peculiar quantum counterfactual effect. Consider a collection of bombs, some 
of which are duds while the remaining ones are usable. The bombs have a 
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particular property: each bomb has a perfect photon-triggered sensor which 
whenever a photon is absorbed causes the bomb to detonate. We assume that 
the efficiency of this sensor is 100% so that all photons that pass through the 
sensor will be absorbed. The dud bombs has a malfunctioning sensor that will 
not interact with any photon. The problem is how to separate dud bombs 
from usable ones without detonating all bombs. For solving this problem the 
authors proposed a mode of observation known as countcrfactual measurement 
or interaction- free measurement. Basically the bomb to analyze is positioned 
on one arm of a Mach-Zehnder interferometer. If there is not any bomb, the 
photons, due to single photon interference, arc detected always from the same 
detector. Assume now that this detector is dubbed detector A and that a bomb 
is introduced. If the bomb is dud nothing changes because it does not interact 
with photons, so they are still detected by detector A. If the bomb is usable, the 
interference is broken. In fact, if a photon passes on the lower branch it will be 
absorbed by the bomb and it will cause the explosion; instead if it passes on the 
upper branch, the photon has a 50% probability to be absorbed by detector A 
and 50% to be revealed by detector B. So, if the photon is detected by detector 
B it is certain that the bomb is usable, otherwise we can't conclude nothing. 
After the examination of all bombs we will identify about 25% of usable bombs 
and detonate about 50% of these. If we repeat the measurement many times, 
we are able to discriminate at maximum the 33, 3% of usable bombs. In 1994 
the experimental proof of this system was realized [4"0]. 

3.2 N09 Protocol: the proposed scheme 

The protocol was proposed by Tae-Gon Noh in 2009 (N09) and it presents a 
main difference from the previously described protocols: by implementing this 
protocol it is possible to perform the secret key distribution without letting the 
particle that carries the information even travel through the quantum channel. 
This has the clear advantage from the point of view of security that no eaves- 
dropper can have direct access to the quantum system of each particle involved 
in the communication. In figure [4] (a) the scheme proposed by Noh to realize 
his protocol is shown. 

Before the description of the implemented protocol it is useful to give a 
brief description of the ideal scheme according to the setup originally proposed 
by the author (figure 1 of paper [5]), which requires the use of a Michelson 
interferometer. 

Alice randomly rotates the single photon polarization (which originally is to 
be assumed horizontal) by means of a half wave plate (HWPA) , either by (bit 
value "0") or by ir/2 (bit value "1"). Then, the photon enters one port of a 
50 : 50 beam splitter (BS), which is the first element of a Michelson interferom- 
eter. After BS, according to the polarization, the photon is in one of the two 
orthogonal states: 

\cf>o) = (\0)a\H) b +i\H) A \0) B )/V2 (3) 
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|<M ={\0) A \V) B + i\V) A \0)B)/y/2 



(4) 



The path A of the interferometer (containing an optical delay OD and a mirror) 
is inside Alice's sector, while path B reaches Bob's one. 

Bob then randomly selects one of the two polarisations and detects the pho- 
ton in this polarisation allowing the photon in the complementary polarisation 
to fly back to Alice's site. This is realized by the HWPB and the Polarizing 
beam splitter (PBS). As the PBS addresses the \V) photon towards D2, while 
\H) photon is sent towards the mirror (M), rotations of the polarization of and 
7r/2 induced by the HWPB correspond to the detection of \V) and \H) photon 
state by D2. If the photon is not detected by D2 but reflected back by M it 
passes through the HWPB in the selected position, thus the photon gains back 
its original polarization state interfering with itself at BS at Alice's site and, for 
a proper tuning of the optical delay OD, it deterministically exits in DO. 

When Alice and Bob select complementary polarization rotations, then ei- 
ther the photon is transmitted by BS and detected by Bob at D2 with 50% 
probability (since its polarization at PBS is vertical), or it is reflected in path 
A. In this case the photon, after passing through the OD twice, returns to the 
BS and then it is reflected or transmitted with equal probability (25%). The 
first case leads to the clicking of DO, the second corresponds to the photon ar- 
riving at D1H or D1V detectors depending on whether its polarization (selected 
via another PBS) is horizontal or vertical. 

After the detection is completed Alice and Bob can communicate each other 
whether or not each of the detectors clicked. If clicked either DO or D2, with 
the purpose of detecting the intervention of an eventual eavesdropper, they an- 
nounce both the detected and the initial polarization state. If D1H or D1V 
clicks, Alice compares the initial and final polarization states: if they are con- 
sistent she docs not reveal any information, otherwise she announces her result. 
Alice and Bob can then establish a common key by using only the events when 
the photon was detected at D1H or D1V (with the correct polarization). 

The only apparent difference between the scheme discussed here and the 
original proposal in Rcf [2] is in the apparatus used by Bob to detect the photon 
at D2. Nonetheless the one shown accomplishes exactly the same task, thus the 
two schemes should be considered absolutely equivalent. The original scheme 
also does not show explicitly the polarization selection system of the photons 
as we did with the introduction of D1H and D1V, but the polarization check is 
declared to be necessary. 

The very interesting point of this scheme is that the selection of events only 
at detector Dl correspond to photons that have traveled path A, i.e. never 
exited Alice's sector. Therefore, the task of creating a secret key has been 
accomplished without any photon carrying the information having been outside 
Alice's laboratory. 

In Ref. [47] a more efficient and complicated CQKD was proposed, whereas 
security issues of the N09 protocol were considered in Ref. [48] , where it was 
proved its unconditional security by considering its equivalence to an entangle- 
ment distillation protocol. Finally, very recently, a security proof for intercept- 



16 



Bob | — — i \-f 




(a) 




Figure 4: (a): scheme of the setup for Counterfactual QKD experiment equiv- 
alent to the one proposed by by Noh [2] . (b) Setup of the implemented version 
of the protocol. A 100 mW laser source at 406 nm is used to pump a BBO type 
I crystal. In the degenerate regime, one of the PDC twin modes is used as her- 
alded single photon and travels in the Mach-Zehnder interferometer including 
the two parties and the quantum channel. For each photon A and B perform 
randomly and independently either of two possible polarisation rotations (0 or 
7r/2), by means of half-wave plates (A/2). Detection events at the output ports 
of the interferometer and at the control output are revealed by Single Photon 
Avalanche Photodiodes (DO, Dl, D2). The choice of equal polarization rota- 
tions leads to interference and consequently in the deterministic clicking of DO, 
while the choice of complementary angles results in the statistical distributions 
of the clicks among the three detectors. In the latter case, the events revealed 
by Dl correspond to the exchange of one bit of information between the users 
without the transmission of any photon through the channel. 



resend attacks in realistic situation (non unit detector efficiency and presence 
of dark counts) was provided [49] . 

A first attempt to realize experimentally Noh's scheme is reported in Ref. 
[50] . However, this set up missed the key element of CQKD, since the photon 
was indeed transmitted between Alice and Bob. 

3.3 N09 protocol: the experimental setup 

In the following wc present the results of our equivalent implementation of the 
protocol which is completely analogous to the one of Fig. 1(a), but it is based 
on a Mach-Zehnder interferometer instead of a Michelson interferometer and 
which is the first real proof-of-principle implementation of counterfactual QKD. 
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In our experimental set up, as shown in Fig. 1(b), a heralded single photon 
source exploiting parametric down-conversion (PDC) is used : a 100 mW laser 
emitting at 406 nm in continuous-wave regime pumps a typc-I BBO crystal 
producing degenerate PDC at 812 nm. The emission of the PDC photons is 
slightly non-collinear corresponding to an emission angle of approximately 3° 
with respect to the pump direction. The heralding photon after passing through 
a 10 nm bandwidth interferential filter and a 4 mm wide pinhole is coupled to a 
multi-mode fiber and addressed to the trigger detector. The heralded photon, 
to be used as our true single photon state, is selected by an interferential filter 
(1 nm FWHM) and coupled to a single mode fiber leading to the input of the 
interferometer . 

The latter is a balanced Mach-Zehnder Interferometer (MZI) in which each 
arm has an adjustable trombone prism. One of the two arms is entirely included 
in Alice's site, while the other contains both the quantum channel and Bob's site, 
the latter being composed by a PBS between two half- wave plates (HWPB1, 
HWPB2) and D2 detector. 

The choice of the Mach-Zehnder in place of the Michclson interferometer 
allows to simplify the apparatus, for example the optical circulator in no more 
necessary even if the scheme is in principle equivalent to the proposed one. 

The balance of the interferometer is guaranteed by a closed-loop piezo- 
electric movement system, which stabilizes the position of one of the trombones 
regulating the length difference between the two optical paths inside the MZI 
with nanometric resolution. 

The outputs of the interferometer, after spatial selection via 1 mm diameter- 
wide irises, are then coupled in multi-mode fiber with no further spectral se- 
lection. A polarizer (pol) is also placed before Dl to check the polarization 
of the incoming photons. All the signals (including the heralding photons and 
D2 clicks) are revealed by Single Photon Avalanche Detectors (SPADs) with a 
w 60% detection efficiency at 812 nm. 

Coincidence and time-tag analysis of the incoming signals are performed by 
means of PicoQuant HydraHarp 400 multichannel picosecond event timer. All 
the reported data were acquired in measurements of 20 seconds. Our results 
show good agreement with the theoretical predictions and represent a proof of 
principle of the experimental feasibility of CQKD. 

In Fig. 2 interference fringes with high visibility can be observed in the 
coincidence counts between the heralding channel and each of the MZI output 
detectors DO and Dl as a function of the displacement of the prism balancing 
the interferometer (within the coherence length of the signal, which, according 
to the filters used, is of the order of hundreds of /im) when Alice and Bob use 
compatible sets of polarization rotation angles ({9a, &b} = {0, 0} or {6a, &b} = 
{tt/2, 7r/2}). It can also be noticed that for this choice of angles the D2 counts 
are consistent with zero as expected. In particular, when no rotation at all is 
performed ({0,0}), the maximum visibilities are (92 ± 4)% for DO and (96 ± 
4)% for Dl, while interference gets slightly spoiled for {iy/2,tt/2} where the 
visibilities for DO and Dl are respectively (87±4)% and (91 ±4)%, values which, 
nonetheless, are sufficient for the proof of the protocol. The uncertainty on the 
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Figure 5: Coincidence counts between the heralding channel and each of the 
MZI output detectors DO, Dl and D2 in 20 seconds acquisitions as a function 
of the displacement of the prism balancing the interferometer when Alice and 
Bob use compatible sets of angles (top figure: {0, 0}; bottom figure: {7r/2, tt/2}). 
For this choice of angles an interference pattern (with visibilities generally above 
90%) can be observed in the DO and Dl counts and also control counts (D2) 
are consistent with zero as expected. 



19 



♦ DO 




Time (s) 



Figure 6: Counting events showing the stability of the interferometer in a half- 
an-hour long measurement when the balance of the two optical paths is fixed. 




Figure 7: Proof of transmission for the four possible angle choices for A and 
B. The segments in which DO and Dl counts are approximately equal, cor- 
responding to the angles ([0,7r/2];[7r/2,0]), are the ones relative to the actual 
transmission of information. In those events, the clicking of Dl delivers a bit of 
shared information between the users even if no real photon photon travels in 
the quantum channel. The estimated value for the QBER of the communication 
is (12 ± 1)% 
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visibilities is obtained assuming a Poissonian distribution for the coincidence 
counts. Fig. 3 shows the stability of the interferometer in a half-an-hour long 
measurement when the balance of the two optical paths is fixed. 

The performances of our key distribution process are summarized in Table 
I. Corresponding to the angles {0,7r/2} and {ir/2,0}, Dl and DO counts are 
approximately equal, as in this condition no interference should be present. 
These are the events relative to the actual transmission of information. In fact, 
the clicking of Dl delivers a bit of the secret key between the users even if no 
real photon travels in the quantum channel. 

In order to characterize the communication it is necessary to estimate the 
Quantum Bit Error Rate (QBER) defined as the ratio between the probability 
for Bob to register an incorrect bit and the sum of the probabilities of getting 
either a correct or an incorrect bit. In our case Bob gets an incorrect bit when 
Dl clicks even if Alice and Bob use the same angle of polarization rotations 
and the events related to the correct transmission are those in which Dl clicks 
when interference is destroyed. Furthermore, we notice that when Alice and 
Bob use complementary polarizations the amount of photons with the wrong 
polarization detected by Dl is effectively null when dark counts are subtracted. 
We can thus define QBER as 

QBER = — %g (5) 

*D±,int T -t Di,nint 

where PD x ,mt is the probability for Dl to register a photon when Alice's and 
Bob's polarization rotations are equal, such that there is (destructive) interfer- 
ence, and PDt^int is the analogous probability in the case in which Alice and 
Bob choose different angles. 

For our measurements the mean QBER is QBER = (12 ± 1)%. We un- 
derline that all the reported measurements are obtained without subtraction of 
background and accidental counts. If we account for these contributions, the cor- 
rected QBER value decreases noticeably to QBER' = (7± 1)%, as would be the 
case if more reliable detectors were used, such as detectors affected by a lower 
dark count rate. As already mentioned, the protocol has been demonstrated 
absolutely secure when ideal single photon sources are employed. To address 
the security problems eventually raised by the practical implementation of the 
protocol, firstly we tested it against possible photon-number-splitting attacks, 
i. e. we investigated the quality of of our heralded single photon source. From 
the measured count rates we obtained a value of 52(0) = (7± 5) * 10 -9 , which 
clearly shows negligible presence of multi-photon components. The reason for 
such a small value is related to the very low level of count rates (180 maxi- 
mum in 20 seconds acquisitions) at the detectors. This is basically due to the 
poor coupling efficiency of the heralded source (approximately 5%), the strict 
spectral selection on the heralding photons (1 nm FWHM filtering with 26% 
transmittance) , and also because of the spatial selection at the interferometers 
output (we used irises as narrow as 1mm in diameter to optimize the visibility 
of the interference fringes). Furthermore, a small temporal detection window (1 



21 



ns) was selected in correspondence of the arrival of the heralding photon. Be- 
cause of this temporal post-selection we mention that unheralded photons may 
travel inside the channel and Eve may exploit that to get significant informa- 
tion by intercepting them. In order to overcome this security issue, shuttered 
heralded single-photon sources [53J should be considered a valuable solution, as 
they present comparable performances with respect to the non-shuttered ones. 
Future developments of the scheme will include shuttered sources together with 
stabilized fiber interferometers for wider distance. 

We also address the issue of robustness of the protocol against more general 
attacks by computing the difference m = Iab — Iae, where Iab (Iae) is the 
mutual information between Alice and Bob (Alice and Eve) , in the cases of gen- 
eral Intercept-Resend attacks and "Time-Shift" attacks. Following the models 
suggested in Ref. [49], one can express m for the intercept-resend attack as 

m IR = P m [l - h(-^)], (6) 

where Pdi, Pel are respectively the click probability and the error probability at 
Dl and h(x) is the binary Shannon Entropy. We mention that P e \ in principle 
includes not only the probability to register counts at Dl when they are not ex- 
pected (0, 0,7r/2, 7r/2), but also the probability to detect a photon at Dl with the 
wrong polarization. The latter probability has been estimated by counting the 
rate of photons impinging in Dl when the polarizer before it is set orthogonally 
to the polarization selected by Alice for each of the four angle combinations. 
According to the measured counts (1.45 ± 1.16, 1.2 ± 1.5, 0.95 ± 1.24, 0.8 ± 1.2; 
in 20 seconds acquisitions), we estimated a mean value for this probability of 
(4±3)*10" 6 . 

Regarding the time-shift attack, where Eve exploits the non-ideality of the 
detectors, one must subtract from the previous value two contributions, obtain- 
ing: 

mTs =miR- 7 - AI AE (r)), (7) 

where 7 accounts for the maximum corrupted bit rate due to dark counts and 
A Iae (jl) = ^^(Pd2 — Pe2) is the increment of the mutual information between 
A and E due to non-unit efficiency of the detectors. 

Both values calculated from the collected data are positive (mm = 0.23 ± 
0.04, rriTs — 0.15 ± 0.06), ensuring the possibility of distributing a secret key 
[3JS] 

Altogether our results provide a satisfying proof-of-principle of the QKD 
scheme realized in free-space. Nonetheless, recent results on the implementation 
of high stability fiber based Mach-Zehndcr interferometers (over distances of the 
order of some km) [5TJ (52] certify the possibility of exploiting this protocol in 
"real-life" (as well as commercial) applications. 
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{0,0} 


{0,^/2} 


{n/2,n/2} 


{tt/2,0} 


Cdq 


180 ±4 


59 ±2 


159 ±4 


59 ±2 


Cdi 


7.9 ±0.9 


53 ±2 


7.2 ±0.9 


59 ±2 


Cd2 


6.6 ±0.8 


85 ±3 


5.4 ±0.7 


86 ±3 


v DQ 


(92 ± 4)% 


(0 ± 4)% 


(0 ± 4)% 


(87 ± 4)% 


Vdi 


(96 ± 4)% 


(0 ± 4)% 


(0 ± 4)% 


(91 ± 4)% 


QBER 


(12 ±1)% 



Table 6: Resume of the main results in the implementation of the CQKD pro- 
tocol proposed in Ref. [2]. Each column refers to a set {9 a, 0b} of polarization 
rotation performed by the users and Cdi labels the mean coincidence counts 
at the i-th detector in acquisition of 20 seconds. Vdq, Vdi are the visibilities 
of the interference fringes observed at the two outputs of the interferometer by 
scanning the path length difference between the two arms of the MZI. QBER 
is the estimated quantum bit error rate for the transmission. 

4 Conclusion 

In this paper we presented an overview on our recent results regarding the first 
proofs of principle of two novel QKD schemes using only orthogonal states. The 
experimental results demonstrate the security of those protocols while, on the 
one hand, they prompt to a further optimization of the schemes, on the other 
hand they offer groundbreaking contribution in the discussion on the resources 
actually needed to perform secure QKD. The research leading to these results 
has received funding from the European Union on the basis of Decision No. 
912/2009/EC (project IND06-MIQC), by MIUR-FIRBRBFR10UAUV, and by 
Compagnia di San Paolo. 
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